
Critical WordPress Plugin Vulnerability Enables Hackers To Exploit Over 1M Sites


Threat actors are apparently exploiting two security flaws in the Elementor Pro and Ultimate Addons for Elementor WordPress plugins, in an effort to remotely execute arbitrary code and completely compromise unpatched targets.

As reported by the Threat Intelligence team at Wordfence, reports of threat actors attempting to exploit the two issues in ongoing attacks had appeared as of May 6.

Elementor Pro 

Elementor Pro is a paid plugin with an estimated number of over 1 million active installs, enabling users to quickly and easily develop WordPress websites from scratch, with the aid of a built-in theme builder, a visual form widget designer, and custom CSS support.

The Elementor Pro vulnerability is an RCE (Remote Code Execution) bug rated as Critical. It enables attackers with registered user access to upload arbitrary files to the affected websites and remotely execute code.

To preserve access to a compromised site, attackers who successfully exploit this issue can install backdoors or webshells, obtain full admin access to take over the site completely, or even delete the site entirely.

If they are unable to register as users, they can exploit the second vulnerability, in the Ultimate Addons for Elementor WordPress plugin (installed on over 110,000 sites), which lets them sign up as subscriber-level users on any site running the plugin even when user registration is disabled.

"Then they proceed to use the newly registered accounts to exploit the Elementor Pro [..] vulnerability and achieve remote code execution," as Wordfence discovered.

Mitigation Measures 

To protect against the ongoing attacks, update Elementor Pro to version 2.9.4, which patches the remote code execution vulnerability.

Users of the Ultimate Addons for Elementor will have to upgrade to version 1.24.2 or later. To be sure that your website has not already been compromised, Wordfence advises taking the following actions:

  • Check for any unknown subscriber-level users on your site. Their presence may indicate that your site has been compromised as part of this active campaign. If so, remove those accounts.
  • Check for files named “wp-xmlrpc.php.” Such a file may indicate a compromise, so check your site for any evidence of it.
  • Delete any unknown files or folders found in the /wp-content/uploads/elementor/custom-icons/ directory. The presence of files here following the creation of a rogue subscriber-level account is an obvious indication of compromise.
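The three checks above can be scripted. The following is an added example, not Wordfence's or Elementor's code: a WP-CLI script that lists subscriber-level accounts oldest first, searches the document root for any file named wp-xmlrpc.php, and lists everything under uploads/elementor/custom-icons with size and modification time. It assumes WP-CLI is installed and the script is run from the site root as `wp eval-file elementor-ioc-check.php` (the file name is an assumption), so that WordPress is already loaded and ABSPATH, WP_CONTENT_DIR, get_users() and WP_CLI::log() are available.

```php
<?php
// Added example (not Wordfence's or Elementor's code). Run from the site root:
//   wp eval-file elementor-ioc-check.php
// WP-CLI loads WordPress first, so ABSPATH, WP_CONTENT_DIR, get_users() and
// WP_CLI::log() are available here.

// 1. Subscriber-level accounts, oldest first, so recent and unexpected
//    registrations stand out at the bottom of the list.
function example_list_subscribers(): array {
    $rows  = [];
    $users = get_users([
        'role'    => 'subscriber',
        'orderby' => 'registered',
        'order'   => 'ASC',
    ]);
    foreach ($users as $user) {
        $rows[] = sprintf('%d  %s  <%s>  registered %s',
            $user->ID, $user->user_login, $user->user_email, $user->user_registered);
    }
    return $rows;
}

// 2. Any file with the given name anywhere under $root. The legitimate core
//    file is xmlrpc.php; WordPress does not ship a "wp-xmlrpc.php".
function example_find_files_named(string $root, string $name): array {
    $hits = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::LEAVES_ONLY,
        RecursiveIteratorIterator::CATCH_GET_CHILD // skip unreadable directories
    );
    foreach ($it as $file) {
        if ($file->getFilename() === $name) {
            $hits[] = $file->getPathname();
        }
    }
    return $hits;
}

// 3. Everything under uploads/elementor/custom-icons, with size and mtime so
//    it can be compared with the registration time of any rogue subscriber.
function example_list_custom_icon_files(): array {
    $dir = WP_CONTENT_DIR . '/uploads/elementor/custom-icons';
    if (!is_dir($dir)) {
        return [];
    }
    $rows = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::SELF_FIRST
    );
    foreach ($it as $file) {
        $rows[] = sprintf('%s  %s bytes  modified %s',
            $file->getPathname(),
            $file->isDir() ? '-' : $file->getSize(),
            date('c', $file->getMTime()));
    }
    return $rows;
}

function example_print_section(string $title, array $lines): void {
    WP_CLI::log("== $title ==");
    if (!$lines) {
        WP_CLI::log('  (none found)');
        return;
    }
    foreach ($lines as $line) {
        WP_CLI::log('  ' . $line);
    }
}

example_print_section('Subscriber-level users', example_list_subscribers());
example_print_section('Files named wp-xmlrpc.php', example_find_files_named(ABSPATH, 'wp-xmlrpc.php'));
example_print_section('Entries under uploads/elementor/custom-icons', example_list_custom_icon_files());
```

The output is a lead, not a verdict: a subscriber account is only suspicious if nobody on the site recognises it, so compare the registration timestamps with the May 6 date Wordfence gives for the start of the campaign and with the modification times of anything found under custom-icons, which should normally be empty.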

WordPress Sites Affected by Bugs in Gutenberg Template Library and Redux Framework

 

The Gutenberg Template Library & Redux Framework plugin for WordPress, which is deployed on over 1 million websites, has two vulnerabilities. According to the researchers, these might enable arbitrary plugin installation, post deletions, and access to potentially sensitive information about a site's configuration. Redux.io's plugin provides a variety of templates and building blocks for developing web pages in WordPress' Gutenberg editor. 

This plugin is a collection of WordPress Gutenberg blocks that allow publishers to quickly create websites using pre-built “blocks” while utilizing the Gutenberg interface. 

The first vulnerability (CVE-2021-38312) is rated as high-severity on the CVSS scale, with a score of 7.1 out of 10. It stems from the plugin's use of the WordPress REST API, which handles requests to install and manage blocks; according to Wordfence, the plugin fails to properly check user permissions on those requests. 

The WordPress REST API allows apps to communicate with the user's WordPress site by sending and receiving data in JSON (JavaScript Object Notation) objects. It's the backbone of the WordPress Block Editor, and it may also help the user's theme, plugin, or custom app create new, more sophisticated interfaces for managing and publishing the user's site's content. 

“While the REST API Endpoints registered under the redux/v1/templates/ REST Route used a permission_callback to verify a user’s permissions, this call-back only checked whether or not the user sending the request had the edit_posts capability,” Wordfence researchers said in a Wednesday posting. Users with lower rights, such as contributors and authors, may utilize the redux/v1/templates/plugin-install endpoint to install any plugin from the WordPress repository, or the redux/v1/templates/delete_saved_block endpoint to delete posts, according to the researchers. 

The second vulnerability, a medium-severity flaw (CVE-2021-38314), has a CVSS score of 5.3. It exists because the Gutenberg Template Library & Redux Framework plugin registers numerous AJAX actions that are available to unauthenticated users, one of which is deterministic and predictable, allowing for the discovery of a site's $support_hash. 

“This $support_hash AJAX action, which was also available to unauthenticated users, called the support_args function in redux-core/inc/classes/class-redux-helpers.php, which returned potentially sensitive information such as the PHP version, active plugins on the site and their versions, and an unsalted md5 hash of the site’s AUTH_KEY and SECURE_AUTH_KEY,” according to Wordfence. An attacker may use the information to plot a website takeover using other vulnerable plugins, according to the researchers.
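Both findings come down to authorization checks that do not match what the endpoint actually does: a REST permission_callback that accepts anyone with edit_posts, and diagnostic AJAX actions reachable without logging in. The code below is an added example, not the Redux plugin's code, written against the standard WordPress REST and AJAX APIs; the route namespace example/v1, the handler and nonce action names are illustrative. It shows the weak pattern Wordfence describes beside the capability checks such endpoints need, and registers a support-information action for logged-in users only, with a nonce and capability check inside.

```php
<?php
// Added example: REST and AJAX authorization matched to what each action does.

add_action('rest_api_init', function () {
    // Weak pattern described above: edit_posts is held by Contributors and
    // Authors, so it says nothing about whether the caller may install plugins.
    //   'permission_callback' => function () { return current_user_can('edit_posts'); }

    register_rest_route('example/v1', '/plugin-install', [
        'methods'             => WP_REST_Server::CREATABLE,
        'callback'            => 'example_rest_install_plugin',
        // install_plugins is an Administrator capability (Super Admin on multisite).
        'permission_callback' => function () {
            return current_user_can('install_plugins');
        },
        'args' => [
            'slug' => ['required' => true, 'sanitize_callback' => 'sanitize_key'],
        ],
    ]);

    register_rest_route('example/v1', '/saved-block/(?P<id>\d+)', [
        'methods'             => WP_REST_Server::DELETABLE,
        'callback'            => 'example_rest_delete_saved_block',
        // Check the meta capability against the specific post: delete_post maps
        // to delete_posts or delete_others_posts depending on who owns it.
        'permission_callback' => function (WP_REST_Request $request) {
            return current_user_can('delete_post', (int) $request['id']);
        },
    ]);
});

function example_rest_install_plugin(WP_REST_Request $request) {
    // The installation itself is out of scope; only the authorization is shown.
    return new WP_REST_Response(['accepted' => $request['slug']], 202);
}

function example_rest_delete_saved_block(WP_REST_Request $request) {
    $post = wp_delete_post((int) $request['id'], true);
    if (!$post) {
        return new WP_Error('not_found', 'No such block.', ['status' => 404]);
    }
    return new WP_REST_Response(['deleted' => $post->ID]);
}

// AJAX: wp_ajax_nopriv_* handlers run for anyone on the internet, so a support
// or diagnostics action is registered with wp_ajax_* only. Even then "logged
// in" is not "authorized", so a nonce and a capability are checked inside.
add_action('wp_ajax_example_support_info', function () {
    check_ajax_referer('example_support_info', 'nonce');
    if (!current_user_can('manage_options')) {
        wp_send_json_error(['message' => 'forbidden'], 403);
    }
    // Return only what support needs. Nothing here is derived from AUTH_KEY or
    // SECURE_AUTH_KEY; those constants must never leave the server in any form.
    wp_send_json_success([
        'php' => PHP_VERSION,
        'wp'  => get_bloginfo('version'),
    ]);
});
```

The design rule is that the capability named in the permission check is the one WordPress itself requires for the operation (install_plugins for installing, delete_post for deleting a given post); a generic "is this user allowed to do something" check such as edit_posts is what let lower-privileged roles reach the Redux endpoints.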

Several Critical Flaws Identified in WordPress Plugin

 

Wordfence researchers warned of multiple flaws in a popular WordPress plugin that allow an attacker to upload arbitrary files to a vulnerable site and achieve remote code execution (RCE). On May 27, researchers discovered four security vulnerabilities, all of which were assigned a high CVSS score of 9.8. 

The first issue discovered was a privilege escalation flaw, CVE-2021-34621. “During user registration, users could supply arbitrary user metadata that would get updated during the registration process. This included the wp_capabilities user meta that controls a user’s capabilities and role. This made it possible for a user to supply wp_capabilities as an array parameter while registering, which would grant them the supplied capabilities, allowing them to set their role to any role they wanted, including the administrator,” researchers explained.

In addition, there was no check to validate that user registration was enabled on the site, meaning users could register as an administrator even on sites where user registration was disabled. This meant that attackers could completely take charge of a susceptible WordPress site. 

The second flaw, CVE-2021-34622, in the user profile update functionality, relies on the same technique but requires the attacker to already have an account on the vulnerable site. 

“However, since the registration function did not validate if user registration was enabled, a user could easily sign up and exploit this vulnerability, if they were not able to exploit the privilege escalation vulnerability during registration,” according to Wordfence researchers. 
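The two flaws share a root cause, a handler that writes whatever metadata the request contains, and the profile-update path additionally needs an ownership check. The code below is an added example, not ProfilePress's code, showing the vulnerable pattern Wordfence describes beside a hardened registration and profile-update handler that takes only an allow-list of metadata keys from the request, honours the users_can_register setting, and assigns the role from configuration. Function names, the EXAMPLE_ALLOWED_META list and the form field names are illustrative.

```php
<?php
// Added example (not ProfilePress's code): registration and profile-update
// handlers that take only allow-listed metadata from the request.

// Vulnerable pattern described above: every submitted field is written as user
// meta, so a 'wp_capabilities' field sets the new account's role.
function example_register_vulnerable(array $post) {
    $user_id = wp_create_user($post['username'], $post['password'], $post['email']);
    if (is_wp_error($user_id)) {
        return $user_id;
    }
    foreach ($post as $key => $value) {
        update_user_meta($user_id, $key, $value); // no allow-list
    }
    return $user_id;
}

// Hardened version.

// The only metadata a registrant or profile owner may set about themselves.
const EXAMPLE_ALLOWED_META = ['first_name', 'last_name', 'description'];

function example_apply_allowed_meta(int $user_id, array $post): void {
    foreach (EXAMPLE_ALLOWED_META as $key) {
        if (isset($post[$key]) && is_scalar($post[$key])) {
            update_user_meta($user_id, $key, sanitize_text_field((string) $post[$key]));
        }
    }
}

/** @return int|WP_Error New user ID, or an error. */
function example_register_hardened(array $post) {
    // Honour Settings > General > "Anyone can register".
    if (!get_option('users_can_register')) {
        return new WP_Error('registration_disabled', 'Registration is disabled.', ['status' => 403]);
    }

    $user_id = wp_create_user(
        sanitize_user($post['username'] ?? '', true),
        (string) ($post['password'] ?? ''),
        sanitize_email($post['email'] ?? '')
    );
    if (is_wp_error($user_id)) {
        return $user_id;
    }

    // wp_create_user() already assigns the site's default role; setting it
    // explicitly makes clear the role comes from configuration, never the request.
    (new WP_User($user_id))->set_role(get_option('default_role', 'subscriber'));

    example_apply_allowed_meta($user_id, $post);
    return $user_id;
}

/** @return true|WP_Error */
function example_update_profile_hardened(int $user_id, array $post) {
    // Same allow-list for the profile-update path, plus an ownership check:
    // edit_user is a meta capability, so a user may edit their own profile
    // while editing anyone else's requires edit_users.
    if (!current_user_can('edit_user', $user_id)) {
        return new WP_Error('forbidden', 'You may not edit this user.', ['status' => 403]);
    }
    example_apply_allowed_meta($user_id, $post);
    return true;
}
```

Iterating over an allow-list of keys, rather than over the request, is what makes the difference: a key the code does not name can never reach update_user_meta(), whatever the client sends.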

Arbitrary file upload is the third flaw present in the image uploader component (CVE-2021-34623). The image uploader in ProfilePress was insecurely implemented using the exif_imagetype function to determine whether a file was safe or not. An attacker could disguise a malicious file by uploading a spoofed file which would bypass the exif_imagetype check.

The fourth and last flaw, CVE-2021-34624, is in the plugin’s ‘custom fields’ functionality, which also performs a check for malicious files, and could likewise be exploited to achieve RCE.
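Both upload flaws are described as checks that can be passed by a file that is not really a safe image. The code below is an added example, not ProfilePress's code, showing the weak exif_imagetype()-only check beside a validation routine that requires an allow-listed extension, requires WordPress's own wp_check_filetype_and_ext() to agree that name and content match, takes a second MIME opinion from finfo, and, where GD is available, decodes the image and re-encodes it on storage so that only pixel data is kept. Function names are illustrative; $file is a single $_FILES entry.

```php
<?php
// Added example (not ProfilePress's code): image upload validation that does
// not stop at the magic bytes.

// Weak check described above: exif_imagetype() reads only the first bytes of
// the file, so it is true for anything that begins with an image signature.
function example_is_image_weak(string $tmp_path): bool {
    return exif_imagetype($tmp_path) !== false;
}

/**
 * @param array $file One $_FILES entry (name, tmp_name, error, ...).
 * @return array|false ['ext' => ..., 'type' => ...] on success, false to reject.
 */
function example_validate_image_upload(array $file) {
    $allowed = [
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
        'gif'      => 'image/gif',
    ];

    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        return false;
    }

    // 1. Name and content must agree, restricted to the image allow-list:
    //    wp_check_filetype_and_ext() returns ext => false when the extension is
    //    not allowed or, for images, when getimagesize() disagrees with it.
    $check = wp_check_filetype_and_ext($file['tmp_name'], $file['name'], $allowed);
    if (empty($check['ext']) || empty($check['type'])) {
        return false;
    }

    // 2. A second opinion on the MIME type from libmagic.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    if ($finfo->file($file['tmp_name']) !== $check['type']) {
        return false;
    }

    // 3. Where GD is available, require the whole file to decode as an image.
    if (function_exists('imagecreatefromstring')) {
        $img = @imagecreatefromstring((string) file_get_contents($file['tmp_name']));
        if ($img === false) {
            return false;
        }
        imagedestroy($img);
    }

    return ['ext' => $check['ext'], 'type' => $check['type']];
}

/**
 * Stores a validated upload under a server-chosen name. With GD the image is
 * re-encoded, so anything that is not pixel data (trailing content, EXIF,
 * comments) is not carried into the stored file.
 * @return string|WP_Error Destination path, or an error.
 */
function example_store_profile_image(array $file, int $user_id) {
    $valid = example_validate_image_upload($file);
    if ($valid === false) {
        return new WP_Error('invalid_image', 'Upload rejected: not a valid image.');
    }

    $upload = wp_upload_dir();
    $name   = wp_unique_filename($upload['path'], sprintf('avatar-%d.%s', $user_id, $valid['ext']));
    $dest   = trailingslashit($upload['path']) . $name;

    if (function_exists('imagecreatefromstring')) {
        $img = @imagecreatefromstring((string) file_get_contents($file['tmp_name']));
        switch ($valid['type']) {
            case 'image/jpeg': $ok = imagejpeg($img, $dest, 90); break;
            case 'image/png':  $ok = imagepng($img, $dest);      break;
            default:           $ok = imagegif($img, $dest);      break;
        }
        imagedestroy($img);
    } else {
        $ok = move_uploaded_file($file['tmp_name'], $dest);
    }

    return $ok ? $dest : new WP_Error('store_failed', 'Could not store the upload.');
}
```

Two points follow from the design. The stored file never keeps the client-supplied name; the extension comes from the validated type, so a mismatched or doubled extension cannot survive. And validation is a layer, not a substitute for the web server refusing to execute scripts from the uploads directory, which is the control that contains an upload flaw even when a check is bypassed.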

ProfilePress, formerly known as WP User Avatar, facilitates the uploading of WordPress user profile images and is installed on over 400,000 sites. Its only functionality was to upload photos; however, a recent change saw the plugin augmented with new features including user login and registration. Unfortunately, the new features introduced several security flaws. 

Chloe Chamberland, a threat analyst at Wordfence, discovered the bugs by using a tool called WPDirectory to search the WordPress plugin repository for specific lines of code. “I did a routine search for wp_ajax hooks and found that this plugin had introduced some new AJAX actions that I hadn’t previously noticed before, which led to me further investigating them,” the researcher said.